Hi Jeremy,
You are the second person to report problems with this check on ossec, so I guess there might be something wrong in there. Are these ports opened and closed very fast, or are they supposed to be always open? From your e-mail, I get the impression that they are always opened and listening. If you do a netstat and grep for port 43385, can you see it there?

There is no way to disable these checks for one specific interface... The following post explains how we do these checks:
http://www.ossec.net/ossec-list/2007-January/msg00075.html

Which OS + uname -a do you have?

Thanks,

Daniel B. Cid
dcid ( at ) ossec.net

On 1/29/07, Jeremy Melanson <[EMAIL PROTECTED]> wrote:
Hello all. I have several machines in a high-capacity Oracle database environment that I have running with OSSEC. The machines have a separate, dedicated network that Oracle uses for heartbeat and replication. The interfaces that are connected to this network often have arbitrary high ports enabled and listening, which produces alerts similar to the following:

OSSEC HIDS Notification.
2007 Jan 29 13:12:04

Received From: (pkdb2) 192.168.16.212->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

Port '43385'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

--END OF NOTIFICATION

What I'm trying to figure out is if there might be any way to disable RootCheck on a specific network interface.

-----
Jeremy
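The check Daniel refers to compares two views of the same port: whether the kernel lets a process bind it, and whether netstat lists it. The script below is an added illustration of that comparison and of the transient-port race Daniel asks about; it is not OSSEC's rootcheck code. It assumes a Linux-style `netstat -an` layout (local address in the fourth column) and that a bind failing with EADDRINUSE means the port is occupied. The netstat text is constructed; `open_test_listener` exists only so the scan can be exercised against a real listening socket offline.

```python
import errno
import re
import socket
import subprocess
from typing import Iterable, List, Set

# Matches the local-address column of "netstat -an" lines, e.g.
#   tcp  0  0 0.0.0.0:43385  0.0.0.0:*  LISTEN
_NETSTAT_LINE = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+")


def parse_netstat(text: str, proto: str = "tcp") -> Set[int]:
    """Return the set of local ports netstat reports for the given protocol."""
    ports: Set[int] = set()
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line.strip())
        if m and m.group(1) == proto:
            ports.add(int(m.group(2)))
    return ports


def port_in_use(port: int, proto: str = "tcp") -> bool:
    """Bind-probe a port. Only EADDRINUSE counts as 'occupied'; EACCES on a
    privileged port when unprivileged must not be mistaken for a hidden port."""
    socktype = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, socktype) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
        return False


def hidden_ports(candidates: Iterable[int], netstat_ports: Set[int],
                 proto: str = "tcp", recheck: bool = True) -> List[int]:
    """Ports that are occupied at the socket level but absent from netstat.

    A port that is opened and closed quickly (the Oracle heartbeat case) can be
    busy when probed and gone by the time netstat is read.  With recheck=True
    a port is only reported if the bind probe still fails after the netstat
    comparison, which removes most of those transient false positives."""
    found: List[int] = []
    for port in candidates:
        if not port_in_use(port, proto):
            continue
        if port in netstat_ports:
            continue
        if recheck and not port_in_use(port, proto):
            continue  # closed in between: transient, not hidden
        found.append(port)
    return found


def scan_live(candidates: Iterable[int], proto: str = "tcp") -> List[int]:
    """Run the real netstat and compare against the bind probe (hypothetical
    helper; requires a netstat binary in PATH)."""
    out = subprocess.run(["netstat", "-an"], capture_output=True,
                         text=True, check=False).stdout
    return hidden_ports(candidates, parse_netstat(out, proto), proto)


def open_test_listener():
    """Open a loopback listener on an ephemeral port so the scan can be tried
    offline. Returns (socket, port); caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


# Constructed netstat output: one listener on 43385, nothing on 43386.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.16.212:43385    0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

if __name__ == "__main__":
    srv, port = open_test_listener()
    print("listener on", port)
    print("netstat lists it   ->", hidden_ports([port], {port}))
    print("netstat omits it   ->", hidden_ports([port], set()))
    srv.close()
```

Run against a real host, `scan_live(range(1024, 65536))` reproduces the alert's logic; the interesting cases are the ones that disappear when `recheck` is enabled, which is the signature of short-lived ports rather than of a trojaned netstat.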
